Journal of Network and Systems Management, Volume 15, Issue 3, pp 401–415

High-Speed Dynamic Packet Filtering

  • Luca Deri


One problem encountered while monitoring gigabit networks is the need to filter only those packets that are interesting for a given task while ignoring the others. Popular packet filtering technologies enable users to specify complex filters but do not usually allow multiple filters to be specified. This paper describes the design and implementation of a new dynamic packet filtering solution that allows users to specify several IP filters simultaneously with almost no packet loss, even on highly loaded gigabit links. The advantage is that modern traffic monitoring applications, such as P2P, IPTV, and VoIP monitoring and lawful interception, can dynamically set packet filters to efficiently discard packets in the operating system kernel according to the traffic, calls, and users being monitored.


Passive packet capture, Packet filtering, Traffic monitoring, Linux kernel



The author would like to thank Alexander Tudor for the several discussions about bloom filters, and RCS Lab for partially funding this research work.



Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  1. Ntop.org, Pisa, Italy
